CAS series: Portal and SSO

Source: Internet
Author: User

Enterprise Single Sign-on

As the basic internal portal platform of an enterprise, an enterprise information portal is mainly used to integrate the existing business systems, data resources and human resources so that information (data) is gathered in a sensible way. By implementing a unified user identity and a unified access entry, users can reach the integrated information resources through the portal platform, which makes effective use of the enterprise's existing resources and improves production efficiency. Portal application integration is the key technical means by which single sign-on and content aggregation between the portal website and the business systems are achieved.

Basic Concepts


Portlet

A Portlet is a special type of web module designed to run in a portal environment; it is an independent application for developing, deploying, managing and displaying a small portal. A Portlet is not merely a simple view of existing web content: it is a complete application that follows the standard Model-View-Controller design. A Portlet has multiple states and view modes, and can send events and messages. At the same time, a Portlet is a reusable web module that runs on the Portal Server and provides access to web-based content, applications and other resources.


Single Sign-on (SSO)

A user only needs to log on to the portal system once to access authorized portal topics or other applications, and only needs to remember one account. By providing an information framework for secure login access and centralized management of application software and data, SSO lets a user log on once and gain access to every enterprise application within the scope of their authorization.


In addition:

Enterprises today generally run many business systems, and many of them are related to each other: for example ERP, CRM, supply chain management, OA, database systems and data warehouses. These systems need to be integrated. Enterprise Application Integration (EAI) can be divided into user interface integration, business process integration, application integration and data integration.

User Interface Integration: integration of user interaction.

Process Integration: integration of business processes across application systems.

Application Integration: interaction between multiple application systems.

Data Integration: ensuring that the information held in multiple systems is consistent.


Relationship between portal and SSO

The portal and the business systems implement SSO (single sign-on). The portal uses Portlet technology to provide access links to the business applications. When a user clicks such a link on a portal page, or directly accesses the service module Portlet of a third-party system on the portal page, the system automatically logs the user on to the business system being accessed, without further user authentication.

Single sign-on can be implemented from different technical angles; it is generally divided into "client to web application SSO" and "portal to back-end SSO", each with its own corresponding technical implementation. The portal single sign-on service:


Real SSO and pseudo SSO


1) Real SSO

The portal system is used to establish a unified SSO authentication center. After authentication at the SSO center passes, the application system uses the SSO API to communicate with the Portal Server and verify whether the user has already been authenticated. Most newly developed application systems use this SSO implementation; it requires the authentication module of the application system to be modified. In many cases a Trust Association Interceptor (TAI) is also a common way to establish an SSO authentication center.

The Portal Server implements the Java Authentication and Authorization Service (JAAS) architecture. JAAS provides a way to authenticate a subject and to enforce fine-grained access control. JAAS is part of the standard Java security model and makes applications independent of the underlying authentication and authorization mechanisms in use.

JAAS uses a modular service provider interface to perform login and logout operations. The credentials created through the portal's JAAS login module include CORBA credentials, user and group distinguished names, user IDs and passwords, and LTPA tokens. In a distributed J2EE environment, a Portlet can use the JAAS API to access backend applications that have JAAS enabled.

An authentication center can be built on the JAAS security model. For example, the portal and the application systems can be unified through the LTPA token technology that ships with WebSphere, using the portal to establish a shared SSO token for unified authentication. It can also be implemented with open-source authentication modules such as CAS and OpenSSO.
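To make the "real SSO" flow concrete, here is an added example (not code from the original article, and not the CAS, OpenSSO or WebSphere implementation) of a CAS-style authentication center. The center holds the portal login session and issues a short-lived, single-use service ticket bound to one application URL; the application's modified authentication module then calls the center's validation API before opening its own session. The class names, the `TICKET_TTL_SECONDS` value and the `example.internal` URLs are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed CAS-style "real SSO" flow: the portal acts as the SSO center,
# the application trusts the center's ticket validation instead of checking
# passwords itself. Names, URLs and the TTL are assumptions for this example.

TICKET_TTL_SECONDS = 10
ERP_SERVICE_URL = "https://erp.example.internal/login"   # hypothetical application


@dataclass
class ServiceTicket:
    user: str
    service: str       # the application URL the ticket was issued for
    issued_at: float
    used: bool = False


class SsoCenter:
    """Unified authentication center: portal login sessions plus service tickets."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, str] = {}          # portal session id -> user
        self._tickets: Dict[str, ServiceTicket] = {}

    def login(self, user: str) -> str:
        # A real center would run its JAAS login module / password check here.
        session_id = "TGC-" + secrets.token_urlsafe(16)
        self._sessions[session_id] = user
        return session_id

    def issue_ticket(self, session_id: str, service: str) -> str:
        """Called when the user clicks an application link on the portal page."""
        user = self._sessions.get(session_id)
        if user is None:
            raise PermissionError("no authenticated portal session")
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = ServiceTicket(user, service, self._clock())
        return ticket

    def validate(self, ticket: str, service: str) -> Optional[str]:
        """The SSO API the application calls; returns the user name or None."""
        st = self._tickets.get(ticket)
        if st is None or st.used:
            return None                      # unknown or already consumed
        if st.service != service:
            return None                      # issued for a different application
        if self._clock() - st.issued_at > TICKET_TTL_SECONDS:
            return None                      # stale ticket
        st.used = True                       # exactly one validation per ticket
        return st.user


class Application:
    """Business system whose authentication module was changed to trust the center."""

    def __init__(self, center: SsoCenter, service_url: str) -> None:
        self._center = center
        self._service_url = service_url
        self.sessions: Dict[str, str] = {}   # local session id -> user

    def handle_login(self, ticket: str) -> Optional[str]:
        user = self._center.validate(ticket, self._service_url)
        if user is None:
            return None
        local_session = "APP-" + secrets.token_urlsafe(8)
        self.sessions[local_session] = user
        return local_session


def demo() -> Dict[str, object]:
    """Walk through the flow with a controllable clock and report each check."""
    now = [1_000.0]
    center = SsoCenter(clock=lambda: now[0])
    erp = Application(center, ERP_SERVICE_URL)

    portal_session = center.login("alice")              # one login, at the portal
    ticket = center.issue_ticket(portal_session, ERP_SERVICE_URL)
    first = erp.handle_login(ticket)                    # accepted
    replay = erp.handle_login(ticket)                   # same ticket again: rejected

    other = center.issue_ticket(portal_session, ERP_SERVICE_URL)
    wrong_service = center.validate(other, "https://crm.example.internal/login")

    late = center.issue_ticket(portal_session, ERP_SERVICE_URL)
    now[0] += TICKET_TTL_SECONDS + 1                    # let the ticket expire
    expired = erp.handle_login(late)

    return {
        "user": erp.sessions.get(first),
        "first_accepted": first is not None,
        "replay_rejected": replay is None,
        "wrong_service_rejected": wrong_service is None,
        "expired_rejected": expired is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three rejections in `demo()` are the checks an application-side SSO validator should never skip: a ticket is consumed on first use, it is only good for the service it was issued to, and it expires within seconds. Dropping any of them turns a captured ticket into a reusable credential.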


2) Pseudo SSO


After the user passes WebSphere Portal authentication or SSO center authentication, the application system still performs its own user authentication. This method applies to application systems whose authentication module cannot be modified. In this case the basic interfaces of the application system are used, such as URL + user + password, or form filling.


Several methods of pseudo SSO:


A. Form-based method

In this method, the user credentials for the business system are submitted by simulating the user's login, and are passed to the business system's authentication module.

This method is suitable when the business system to be integrated authenticates with an HTML form. The form is encapsulated with Portlet technology and contains the user credentials for the business system together with the resource URL. Submitting the credentials the business system requires through that form simulates a user login, and the business system then returns the resources the user requested over the web.

It applies to B/S (browser/server) Web business application systems that provide form authentication as their user authentication mode.

B. URL-based method

The user credentials are sent directly to the business system through a URL. The authentication program of the business system obtains the user credentials from the intercepted request URL to achieve single sign-on between the portal and the business system. The user credentials can also be placed in the HTTP request header; the business system's authentication program then parses the HTTP request header to obtain them.

C. Simulated session

The authentication state of the application system is simulated using the interfaces of WebSphere Portal and the application system.

D. Simulated certificate

This applies to business systems whose user authentication is based neither on a form nor on an HTTP header. The client (here the portal system acts as the client and the business system as the server) must present the user's electronic certificate. This requires a Portlet application or a J2EE application to simulate sending the electronic certificate to the business system's authentication module.
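The form-based method (A) and the URL-based method (B) above both work by replaying a mapped credential from the portal, and the difference between them matters to defenders. The following added example (not code from the original article or from any portal product) models a hypothetical business system whose login module cannot be changed, a portal-side credential mapping, and the two pseudo-SSO adapters; it then shows what the business system's access log ends up containing in each case. The `BusinessSystem`, `CredentialVault` and `MappedCredential` names, the `erp.example.internal` URL and the account values are all constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed pseudo-SSO example: the target system only understands a
# username/password login, taken from a POSTed form or from a GET query
# string. The portal stores each user's account for that system and replays
# it. Account names, passwords and URLs are made up for this example.

ERP_BASE = "https://erp.example.internal"


class BusinessSystem:
    """Stand-in B/S application with an unmodifiable form login at /login."""

    def __init__(self, accounts: Dict[str, str]) -> None:
        self._accounts = accounts                  # username -> password
        self.access_log: List[str] = []            # what the web server logs
        self.sessions: Dict[str, str] = {}         # cookie -> username

    def handle_request(self, method: str, url: str,
                       form: Optional[Dict[str, str]] = None) -> Optional[str]:
        self.access_log.append(f"{method} {url}")  # request line, query included
        parts = urlsplit(url)
        if parts.path != "/login":
            return None
        if method == "POST":
            fields = dict(form or {})
        elif method == "GET":
            fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
        else:
            return None
        username, password = fields.get("username"), fields.get("password")
        if username is None or self._accounts.get(username) != password:
            return None
        cookie = "JSESSIONID=" + secrets.token_hex(8)
        self.sessions[cookie] = username
        return cookie


@dataclass(frozen=True)
class MappedCredential:
    username: str
    password: str


class CredentialVault:
    """Portal-side mapping (portal user, system) -> that system's own account.
    A production vault would encrypt these values at rest and audit reads."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], MappedCredential] = {}

    def put(self, portal_user: str, system: str, cred: MappedCredential) -> None:
        self._store[(portal_user, system)] = cred

    def get(self, portal_user: str, system: str) -> Optional[MappedCredential]:
        return self._store.get((portal_user, system))


def form_based_sso(vault: CredentialVault, portal_user: str,
                   system: BusinessSystem) -> Optional[str]:
    """Method A: the Portlet fills the target's login form and POSTs it."""
    cred = vault.get(portal_user, "erp")
    if cred is None:
        return None
    return system.handle_request("POST", ERP_BASE + "/login",
                                 {"username": cred.username, "password": cred.password})


def url_based_sso(vault: CredentialVault, portal_user: str,
                  system: BusinessSystem) -> Optional[str]:
    """Method B: credentials travel in the URL, which the target parses."""
    cred = vault.get(portal_user, "erp")
    if cred is None:
        return None
    query = urlencode({"username": cred.username, "password": cred.password})
    return system.handle_request("GET", ERP_BASE + "/login?" + query)


def demo() -> Dict[str, object]:
    erp = BusinessSystem({"a.smith": "erp-pass-1234"})   # constructed account
    vault = CredentialVault()
    vault.put("alice", "erp", MappedCredential("a.smith", "erp-pass-1234"))

    form_cookie = form_based_sso(vault, "alice", erp)
    form_log = erp.access_log[-1]
    url_cookie = url_based_sso(vault, "alice", erp)
    url_log = erp.access_log[-1]

    return {
        "form_user": erp.sessions.get(form_cookie),
        "url_user": erp.sessions.get(url_cookie),
        "form_log_has_password": "erp-pass-1234" in form_log,
        "url_log_has_password": "erp-pass-1234" in url_log,
        "unmapped_user": form_based_sso(vault, "bob", erp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both adapters log the user in, but only the URL variant writes the password into the target's access log, and in a real deployment the same string also lands in proxy logs and browser history. That is the practical reason to prefer the form (or header) variant when a pseudo-SSO integration is unavoidable, and to treat the portal's credential mapping as a secret store with the same protection as the SSO center itself.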
